Commit a9e5d955 authored by Amit Pundir

net: core: fix Null ptr dereference in UID-based routing



sock_i_uid(struct sock *) is being called without checking
for a valid "struct sock" pointer, resulting in following
Null pointer dereference:

[   17.633071] Unable to handle kernel NULL pointer dereference at virtual address 00000198
[   17.641087] pgd = ffffffc07a554000
[   17.644465] [00000198] *pgd=00000000fa49b003, *pud=00000000fa49b003, *pmd=0000000000000000
[   17.652669] Internal error: Oops: 96000006 [#1] PREEMPT SMP
[   17.658186] Modules linked in:
[   17.661217] CPU: 1 PID: 1333 Comm: S21avahi-daemon Not tainted 4.0.0-rc7+ #2
[   17.668195] Hardware name: ARM Juno development board (r0) (DT)
[   17.674055] task: ffffffc976936800 ti: ffffffc079c0c000 task.ti: ffffffc079c0c000
[   17.681470] PC is at _raw_read_lock_bh+0x34/0x54
[   17.686042] LR is at sock_i_uid+0x24/0x64

Not that we need to check for valid pointer every time we call
sock_i_uid() but plan is to at least do it when we are doing
this Null pointer check for other arguments.

Change-Id: I04521c1c38179687acd91d155ea2fd4658573ae7
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
parent 4335ab13
+1 −1
@@ -140,7 +140,7 @@ static inline struct rtable *ip_route_output_ports(struct net *net, struct flowi
	flowi4_init_output(fl4, oif, sk ? sk->sk_mark : 0, tos,
			   RT_SCOPE_UNIVERSE, proto,
			   sk ? inet_sk_flowi_flags(sk) : 0,
			   daddr, saddr, dport, sport, sock_i_uid(sk));
			   daddr, saddr, dport, sport, sk ? sock_i_uid(sk) : GLOBAL_ROOT_UID);
	if (sk)
		security_sk_classify_flow(sk, flowi4_to_flowi(fl4));
	return ip_route_output_flow(net, fl4, sk);
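
Review bot: in the flowi4_init_output() call, the new fallback `sk ? sock_i_uid(sk) : GLOBAL_ROOT_UID` attributes every socket-less lookup to uid 0, so any UID-based routing rule that matches root will also match these flows. That choice deserves a short comment at the call site, or a line in the commit message, saying why root is the intended default. The replacement line also runs well past 80 columns; wrap the last argument onto its own line as the second hunk does.
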
+1 −1
@@ -516,7 +516,7 @@ static void __build_flow_key(struct flowi4 *fl4, struct sock *sk,
			   RT_SCOPE_UNIVERSE, prot,
			   flow_flags,
			   iph->daddr, iph->saddr, 0, 0,
			   sock_i_uid(sk));
			   sk ? sock_i_uid(sk) : GLOBAL_ROOT_UID);
}

static void build_skb_flow_key(struct flowi4 *fl4, const struct sk_buff *skb,
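
Review bot: the `sk ? sock_i_uid(sk) : GLOBAL_ROOT_UID` expression in __build_flow_key() is the same one open-coded in ip_route_output_ports(), so the fallback UID is now chosen in two places. Consider a small inline helper that takes the possibly-NULL sk and returns the kuid_t, and use it at both call sites; that keeps the default consistent and gives the next caller of sock_i_uid() with an optional socket an obvious thing to call.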